Bug 352781 (CVE-2010-2761) - <www-apps/bugzilla-{3.2.10,3.4.10,3.6.4}: Multiple Vulnerabilities (CVE-2010-{2761,4411,4567,4568,4572} CVE-2011-{0046,0048})
Summary: <www-apps/bugzilla-{3.2.10,3.4.10,3.6.4}: Multiple Vulnerabilities (CVE-2010-...
Status: RESOLVED FIXED
Alias: CVE-2010-2761
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/3.2.9/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2011-01-26 05:40 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-10 19:57 UTC
See Also:
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-01-26 05:40:47 UTC
From $URL:

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects.

Recently, Mozilla expanded its security bug bounty program to include web
applications (http://www.mozilla.org/security/bug-bounty.html). As a result,
several new security issues affecting Bugzilla were discovered:

* A weakness in Bugzilla could allow a user to gain unauthorized access
  to another Bugzilla account.

* A weakness in the Perl CGI.pm module allows injecting HTTP headers
  and content to users via several pages in Bugzilla.

* The new user autocomplete functionality in Bugzilla 4.0 is vulnerable
  to a cross-site scripting attack.

* The new automatic duplicate detection functionality in Bugzilla 4.0
  is vulnerable to a cross-site scripting attack.

* If you put a harmful "javascript:" or "data:" URL into Bugzilla's
  "URL" field, then there are multiple situations in which Bugzilla
  will unintentionally make that link clickable.

* Various pages lack protection against cross-site request forgeries.

All affected installations are encouraged to upgrade as soon as
possible.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-01-26 05:42:19 UTC
Torsten, thank you for being on top of the bump. Can we stabilize the new packages, and should we stabilize both 3.2.10 and 3.4.10? Thanks!
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2011-01-26 08:55:49 UTC
Please stabilize 3.2.10 and 3.6.4.

3.2.10 : alpha amd64 ia64 ppc ppc64 sparc x86
3.6.4  : alpha amd64 ia64           sparc x86
                         ppc ppc64           # bug #346403


3.2 and 3.4 suffer from the "defined(%hash) is deprecated" perl-5.12 warning.
Unless somebody requests a patch, I'm happy to ignore it because 3.2 will be end-of-life soon (with the release of bugzilla-4) and 3.4 was never stable.
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2011-01-26 19:20:41 UTC
amd64 done
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-26 19:49:42 UTC
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2011-01-27 16:23:16 UTC
ppc done
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-27 19:20:27 UTC
ppc64 done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-01-30 17:32:02 UTC
alpha/ia64/sparc stable
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-30 17:57:54 UTC
Thank you, everyone.

GLSA Vote: no.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:26:59 UTC
Vote: YES,

because I think people would like to know if there is an update needed because of:

* A weakness in Bugzilla could allow a user to gain unauthorized access
  to another Bugzilla account.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-06-14 08:02:42 UTC
CVE-2011-0048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0048):
  Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x
  before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data:
  URI in the URL (aka bug_file_loc) field, which allows remote attackers to
  conduct cross-site scripting (XSS) attacks against logged-out users via a
  crafted URI.

CVE-2011-0046 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0046):
  Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla
  before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before
  4.0rc2 allow remote attackers to hijack the authentication of arbitrary
  users for requests related to (1) adding a saved search in buglist.cgi, (2)
  voting in votes.cgi, (3) sanity checking in sanitycheck.cgi, (4) creating or
  editing a chart in chart.cgi, (5) column changing in colchange.cgi, and (6)
  adding, deleting, or approving a quip in quips.cgi.

CVE-2010-4572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4572):
  CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3.4.x
  before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allows remote
  attackers to inject arbitrary HTTP headers and conduct HTTP response
  splitting attacks via the query string, a different vulnerability than
  CVE-2010-2761 and CVE-2010-4411.

CVE-2010-4568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4568):
  Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3.4.x
  before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does not properly
  generate random values for cookies and tokens, which allows remote attackers
  to obtain access to arbitrary accounts via unspecified vectors, related to
  an insufficient number of calls to the srand function.

CVE-2010-4567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4567):
  Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x
  before 4.0rc2 does not properly handle whitespace preceding a (1)
  javascript: or (2) data: URI, which allows remote attackers to conduct
  cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field.
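Two of the issue classes in the CVE text above can be checked at the application boundary: a `javascript:` or `data:` URI in the bug's URL field (including one preceded by whitespace, CVE-2010-4567) being rendered as a clickable link, and CR/LF from the query string reaching an HTTP header (CVE-2010-4572). The following Python is an added example written for this page, not Bugzilla's own Perl code; the scheme allowlist and the function names are assumptions made for illustration.

```python
"""Defensive checks for a user-supplied URL field and for header values.

Added example, not Bugzilla code. SAFE_LINK_SCHEMES and the function
names are assumptions for this illustration.
"""
import re
from html import escape
from urllib.parse import urlsplit

# Assumption for this example: only these schemes are ever turned into links.
SAFE_LINK_SCHEMES = frozenset({"http", "https", "ftp"})

# C0 control characters, space and DEL. Browsers discard these before and
# inside a scheme, so "  javascript:" and "java\tscript:" still execute if
# the value is rendered as a link; a check on the raw prefix misses them.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def is_safe_link(url: str) -> bool:
    """True only if the value should be rendered as a clickable link.

    The scheme is inspected after removing control characters and whitespace
    (the CVE-2010-4567 case). A value with no scheme at all is also refused,
    so it is shown as text rather than turned into a relative link.
    """
    if not isinstance(url, str) or not url:
        return False
    normalised = _CONTROL_OR_SPACE.sub("", url)
    try:
        scheme = urlsplit(normalised).scheme.lower()
    except ValueError:  # e.g. a malformed IPv6 literal in the host part
        return False
    return scheme in SAFE_LINK_SCHEMES


def render_url_field(url: str) -> str:
    """Render the URL field as HTML: an anchor for safe schemes, escaped text otherwise.

    The original (not the normalised) value is escaped and shown, so the user
    still sees exactly what was stored.
    """
    text = escape(url, quote=True)
    if is_safe_link(url):
        return f'<a href="{text}">{text}</a>'
    return text


def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF and NUL in anything copied from the request into a header.

    A CR/LF pair terminates the header line, letting the remainder of the
    value start a new header or the response body (response splitting,
    the CVE-2010-4572 class). NUL is refused because some servers truncate
    on it, which can hide what follows from a later check.
    """
    return re.search(r"[\r\n\x00]", value) is None


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    samples = [
        "http://example.com/bug?id=1",
        "javascript:alert(1)",
        "   javascript:alert(1)",   # leading whitespace, CVE-2010-4567 pattern
        "java\tscript:alert(1)",    # control character inside the scheme
        "data:text/html,hello",
        "example.com/no-scheme",
    ]
    for s in samples:
        print(f"{s!r:32} -> safe={is_safe_link(s)!s:5} html={render_url_field(s)}")

    for v in ["text/csv", "text/csv\r\nSet-Cookie: injected=1"]:
        print(f"{v!r:45} -> header-safe={is_safe_header_value(v)}")
```

The point of `is_safe_link` is that the decision is made on a normalised copy while the rendered text is the original value: the link check cannot be fooled by characters the browser would ignore, and the user is never shown a silently altered URL.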
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:35:44 UTC
Vote: YES. Added to pending GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 19:57:38 UTC
This issue was resolved and addressed in
GLSA 201110-03 at http://security.gentoo.org/glsa/glsa-201110-03.xml
by GLSA coordinator Stefan Behte (craig).